> If only it wouldn't collapse by itself after clicking anywhere (clicking seems to activate physics) this would be 10/10
I think that's the other metaphor here.
It's not just standing on the tiny shoulders of one forgotten maintainer. The entire system only appears stable because we're looking at a snapshot of it.
> I'm more concerned about what happens to US now, because I think the attack indicates a complete failure and collapse of the legislative branch of the US government.
Why now? Why not when they took out Soleimani in 2020? Or when they invaded and took out Gaddafi in 2011? Can keep going all the way back to Truman invading Vietnam.
I don't know. Have Congress and Senate always been this ineffective? I don't remember Obama, Biden or even Trump 45 acting with this much impunity. I obviously can't go further back because I have been here since Obama's second term.
The Iran-Contra scandal from the Reagan administration comes to mind. Congress explicitly de-authorized the executive from funding the Contras in Nicaragua. The executive kept doing it anyway. Nobody faced any consequences, though Congress at least made a lot of noise about it.
That's kind of ineffective, but not to this level where Congress is just fine with blatant illegality.
Way too risky to use Google services like this tied to your primary account. There’s too much risk of cross damage. Imagine losing access to your Gmail because some Gemini request flags you as an undesirable. The digital death sentence of losing access to your email with a company that notoriously has no way for the average human to contact a human is not worth the risk.
Use a custom domain and don't use google for email.
And if you do use your gmail address just forward it and start to transition to something else. With time everything of importance has been transferred.
Use your own domain to sign up for a paid email service, provided by a company that focuses on email. I use Fastmail, but there are many other options.
Set up forwarding in Gmail to your new address.
Then, whenever you log in to a website or app with your Gmail, take a moment to change it to your new address. In a few weeks, most of your important accounts will be covered. In a few months, almost everything you still actively use will be done.
I did this ~5 years ago and the only thing that still arrives at my Gmail is spam.
You can mitigate/speed the process using your password manager too.
I still use a filter in my email so that if something comes in under my Gmail, it gets a special tag that I can filter on and treat those as a todo list. Rarely happens beyond the occasional Google Meet connection.
> Use your own domain to sign up for a paid email service, provided by a company that focuses on email.
Note you don't need to pay. Just use Zoho Mail or any other free email that lets you bring your own domain. Switch email providers as needed without changing your domain.
The trouble with paying is that if you forget to pay, you may lose email. (arguably this is also a problem with domains, generally you should pay some years in advance)
You can buy a domain name for like $10 per year; I recommend getting it from porkbun.com.
Cloudflare.com is good too, EXCEPT if you buy your domain from them, you'll be required to use their nameservers until and unless you transfer your domain elsewhere (which you won't be able to do for a while). Though to be fair, their free DNS is good and lots of people use it anyway. It makes email setup slightly more complicated, but it's still doable.
Spaceship.com also has a pretty good reputation, but I think their customer service isn't as good, they're quite new, and they're owned by Namecheap (a bigger domain registrar with a much worse reputation).
Whatever you do, DO NOT buy from GoDaddy. Do not even search for the domain you're considering on GoDaddy. Literally any option is better than GoDaddy.
By far the most reliable TLD options are .com, .net, and .org. These will look relatively trustworthy for email, and the price stays very very stable from year to year. If you don't want to think about it, just get one of these. You can even still find single dictionary word domains for .org or .net relatively easily.
Do not buy any domain marked "premium". This means the owner of the TLD can change the price at renewal as dramatically as they want, for any reason (e.g. if you have a website hosted at that domain that becomes popular). Your $20 per year domain might suddenly become a $300 or $3000 per year domain for no reason but greed, and you wouldn't be able to do anything about it.
Non-premium nTLDs (.club, .horse, .rocks, .theater, etc.) can increase quite dramatically in price, BUT the price is required to be set the same for all domains using that nTLD, so they can't target any individual person for having a successful website or whatever. Also, you can pre-buy up to 10 years, which locks in your price for those 10 years. I'd still not recommend them for a primary email, but it's better than buying a "premium" domain. Just be aware that the yearly price might unexpectedly increase in the future.
Some country code TLDs are also good, but for email, probably stay away from the ones that spammers like to use.
___
Anyway, what I actually originally meant to comment about is: if you set up forwarding from gmail and don't check that account regularly anymore, I recommend setting up a gmail filter rule that forwards all your gmail spam to you (their regular forwarding setting leaves it out and just sends it to the gmail spam folder). It's a little annoying to have to re-flag some of the spam as spam in your new email, but gmail has a habit of marking non-spam as spam for me, and if you're not regularly checking that spam folder you can easily miss important email.
Porkbun have started demanding ID verification for registrations, which, depending on how you feel about current events, might make you reconsider having them on your list.
> Your $20 per year domain might suddenly become a $300 or $3000 per year domain for no reason but greed, and you wouldn't be able to do anything about it.
I switched to a password manager (Bitwarden) about 7 years ago. I have over 200 accounts (not all of them use my @gmail). It would take me weeks to convert those accounts to a new domain, if the application could even support it.
I will admit, many of the accounts are not needed any more. But the process will still be emotionally boring to filter through that.
> ... it would take me weeks to convert those accounts to a new domain ...
I did the same with about the same amount of accounts and it took me the better part of a Saturday. Even if you were really slow and needed five minutes per account, 200 accounts would still only take about 17 hours.
I don't think that's a lot of effort. You could easily spend that time fixing something around the house or garden, which often might not have nearly as big of an impact on personal agency.
For quite some time (approx 8 years) I've used an email forwarding (Blur, but any works) to avoid spam.
This looks like a perfect case for a change of email, since a lot of these accounts can be moved out from Gmail by changing the address that email is forwarded to.
Looks like all this hassle with generating a new email for each service pays off a second time (by making it easy to change the main mail), in addition to spam and privacy protection.
I did this but don't forward. Instead, every new email in Gmail I got would prompt me to go update that service's contact info for me.
It probably doesn't matter, but it made me feel a little better because that way Google wouldn't have direct info on which email/domain I transferred to (ignoring other Gmail contacts that start emailing me at my new address(es)).
Do you use a single email address on your domain or multiple for different purposes? Or do you have one main address and throwaway aliases for one-time registration purposes? I see that Fastmail provides a single inbox that can handle multiple addresses and wonder how that works.
I just sold a domain I had for 25 years and used for everything including API endpoints, email, authentication, etc. It took a couple weeks to transition myself and my family/friends.
Pretty sure just moving emails would have taken a lot less effort. I had the advantage of keeping the domain until I was ready to move; now imagine Google just turned it off one day and what your workload would be. I shudder to think about having to deal with that.
Register your own domain, use a third-party provider to handle actual sending and receiving (I use proton, which makes the setup very easy), forward your Gmail to your personal domain address and as renewals and reminders come in switch your email on services to your personal domain.
After a year or two losing Gmail becomes an inconvenience; after a few more years it is nothing. As everything is now on your own domain name you can switch providers without affecting anything.
That's what I did about 5 years ago and my only regret is not doing it earlier.
I just migrated to Fastmail (on my domain), it’s fantastic. It works just like Gmail in every way I need, haven’t missed Gmail or Google Calendar one bit. It’s clearly made by people who know Gmail well and understand why it works the way it does. I thought it’d be a huge migration but it was actually boring. Search works, 20 years of emails just magically migrated over. Spam detection is better. Couldn’t be happier!
Accidentally typed gmail.com the other day, it took 4 seconds to load (Fastmail is instant) and when it finished loading there was an ad to try some paid Google service. Felt like a flashback to an abusive ex.
I moved away from a gmail address that was that old, dating back to the invitation-only days. It had become more spam than not, mostly other people who share my initials not knowing their own email addresses. But the possible devastation you mention was more worrying. It had become too much of a risk for my banking and identity generally to not own my email address.
I got a custom domain. I still host it on google, because I know how impossible it is for small companies to have a reasonable program to deal with insider threats. Because of that, I think only one of the giant companies can realistically provide secure email. And the google app suite is great. Now that I pay for google workspace, there's support and appeals available, and if they ban me anyway, I still control the domain and can regain access to everything.
I have not been able to delete the old address, even after 3 years. There are some things like Google Fi that can only use a non-workplace google account. Very, very rarely, I still get an email that matters on it. But I got to the point where I could stop checking it in about 2 months, and now I look at it about once a week quickly, more out of habit than anything else.
The switch was annoying, but not "hard". It was worth it.
I had my Gmail for almost 20 years and made the transition. It's annoying and time consuming but I think well worth it. I bought a domain and host it on iCloud. It's like $3/month for 6 email addresses (you can use it with the family). That includes a little cloud data and other services like hidden email addresses. DNS is handled by Cloudflare for free. Then start moving each service/login to the new email address. Every time you log into something, change the email address. I took the opportunity to update passwords and passkeys too, using Vaultwarden. I was lazy and had used similar passwords for a lot of services. Passwords are all long and unique now.
Now, even if Apple bans me, I can move my host within minutes. I never lose access to my email domain. It's much more professional and I can do catch-all. E.g. netflix@[domain.com]. This way I can see who sells my email address to spammers and block it.
Get your own domain so you can easily change providers in the future. Start with your password manager and change the address on all the accounts you have in there.
After a few years you'll notice you stop bothering to check your Gmail and you can delete it to close the address.
If you need motivation, skim the /r/GMail subreddit and see how many people are getting locked out daily.
Do you have a recommendation for a major email provider as a fallback if you have to pick one?
I vaguely recall encountering a service that only accepted addresses from a whitelist of big providers (Gmail, Yahoo, Outlook, etc.), even @icloud did not qualify.
That's a service that doesn't want your business. If you care, message them about it.
I've never once run into a service with such a restriction, but I can imagine someone being that short-sighted. I have seen services that only support "log in with Google or Facebook", which is comparably terrible.
Discogs will not let me login with my own domain (of 30 years) and required one of the big providers. It kept complaining about "risky domain". But that is the only incident I can think of.
It is a top 1000 web site according to Alexa rankings. It would take you about 5 seconds to Google about it. Probably less time than it took you to write your post.
I have heard of that, yeah. It's still busted, but marginally more understandable if they're dealing with a lot of scams. For instance, `.xyz` and some others have bad reputations. I've never seen something that'll reject an arbitrary self-owned `.org`, by way of example.
Sign up at fastmail.com, set up forwarding, change your "reply-to" address. A year later, you'll have nothing arriving in gmail except marketing cruft.
I switched to my own domain ages ago; it only took 2-3 years to stop getting relevant mail to the old one (I put a forwarding rule in place and just used the new one for everything).
Imported all my past mail on day one, forwarding meant I had one inbox only, and I only sent mail from the new domain. A few gentle “please stop using my old address” conversations with family.
It's really not that hard. I switched about 10 years ago. Just every time you log in with your old email, replace it with your new one. Every time you email someone, email them from your new one with a note: "this is my new email". In a few months I had migrated everything to the new email.
Make another mailbox (another provider - Migadu, Fastmail, Proton, whoever) that has IMAP as well. (Self-hosting is a PITA. Only if you really need it.)
Install some standalone mail client - Thunderbird, Claws Mail, Apple Mail, or K-9, Aqua on Android, whatever. Attach both mailboxes into that. Find out how to copy an e-mail from one folder into another.
Folder by folder, select all mails, copy from one mailbox into the other. Will take time.
(Beware, some clients (Apple) will fuck up the mail date; anything older than 5 years becomes 5 years old. Or it shows like that. YMMV.)
I have done this multiple times, for 20+ years of mails...
Although I am increasingly concerned with its longevity since there's a non-zero risk that Proton might shut down SimpleLogin since Proton Pass has its own alias feature.
There was a time back when we could get generic "Login With" OAuth buttons along with the social media roster, allowing one to use whichever provider they wanted.
The current state of OIDC should be pretty much standard across most providers - I'd put it that devs need to make the push to support alt login providers to prevent vendor lock-in in identity, like we're currently barreling towards in hardware/software.
This has its own risk factors. If your domain renewal lapses due to credit card expiry or something and you fail to notice, it's catastrophic. This is just not realistic advice for the average person.
You can usually purchase 10 years up front. But then you should set a reminder for every 3 years or so to keep topping up, or else you'll forget how to even sign into the registrar.
You're right that having a vanity domain for your primary email address isn't for the faint of heart. There isn't any realistic advice for the average person because it's not for the average person.
This wasn't due to some random Gemini request. Users were using sketchy antigravity auth plugins to use their antigravity tokens on things like OpenClaw, clearly against ToS. It's great that Google is giving these users a second chance.
Yes, our masters once again embarrass us unworthy peons with their endless grace, generosity and forbearance. How lucky we are to entrust our data and our lives to them!
It's easy to sneer at huge corps getting mildly scammed by people stretching or breaking the rules. Certainly I don't shed any tears for these corporations.
On the other hand, I have learned that people who are willing to find exploits with trust-based systems operated by huge corps are very often willing to apply that same cheating and exploitation mentality without regard for who the other party is. These are very often the same people who try to coerce teenage cashiers at locally owned shops to accept expired coupons or combine them in invalid ways, or take produce from a roadside farm stand instead of paying into the honor jar. The mentality of cheating the system seems great when it's against huge inhumane corporations, but from what I've personally seen it rarely stops there, and on the whole it contributes to a low trust society.
What upsets me is less the fraudsters, though they are bad as you outline, but just the setup.
Google is in unilateral control of a whole pile of things. Some of them are more critical than others - in particular, if you use a GMail address or Google account to identify yourself to third parties, Google has you by the balls. It has billions of people by the balls. At any time, they could completely ruin your digital life. They don't even need a reason. If they lock you out, you have no way to get their actual attention, or to reverse their decision.
That's coercive power. The need of Google "customers" to keep in Google's good books because it can ruin their day at the flick of a switch is a massive boon for Google.
The power of scammers to defraud local shops pales into insignificance by comparison. And yet, we spend disproportionate amounts of time going after petty crooks, rather than directly addressing large corporations who wield enormous power to enrich themselves with little-to-no blowback. They can pay for the best lawyers on the planet to stretch out and thwart lawsuits and regulatory meetings. They are more powerful than us, and we need to reverse that - unless basically we give up and let them rule us with unchecked power?
A society where everyone feels helpless against a tyrannical ruler is bad; so is one where they can't trust their neighbours. I don't know if they're comparable but I'd prefer neither. I'd like thieves and scammers prosecuted; I'd also like large corporations regulated to within an inch of their lives.
> our masters once again embarrass us unworthy peons with their endless grace
Masters who serve you in exchange for money?
Be as sarcastic as you want, but you demand a thing they did not agree to provide, for the same money = they have a right not to serve you. If you disagree with that and think they owe you something, then you are the one playing master here.
If a 3rd party product advertises compatibility with a Google service and you use it to login via a first party Google login page, doesn’t the responsibility fall somewhere between the offending product and Google itself? In practice it’s structured pretty much like a phishing attempt.
Notably some model providers explicitly allow that very flow, while others will ban you without notice.
Why do you call it self-hosting? It appears to be an installable app with a fancy homepage. At what point does the software being covered by an open license change the responsibility model?
That's exactly what self hosting is, you install some app on your own computer host(s).
> At what point does the software being covered by an open license change the responsibility model
When you agree to an open license that says you're liable for anything and not the author of the software.
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The concern is not losing access to some new IDE for operating outside the terms of service. The concern is when you lose access to the IDE, you also lose access to your 20 year old Gmail account.
A general problem for Google products is that everything is mixed together.
Okay but they were paying customers paying $$$ for the service. Banning your customers without prior warning is not right, however sketchy their behaviour might appear. Even if it's obvious to Google that there's a difference between a Gemini API key and an Antigravity API key, it's not necessarily obvious to others.
The correct and sane thing to do is to send them an email, with at most a 24 hour suspension. If they keep doing it despite being warned then by all means fire them.
I’ll go further: there should be laws addressing account consolidation. Getting banned from an Apple or Google account is an incredibly wide blast radius. It would be like being banned from buying Unilever or Nestle food from your grocery store.
Email providers should be utilities and also legally require a warrant before disclosing any information whatsoever to the government.
Unfortunately the government is full of corrupt geriatrics who do not understand technology and are paid to continue not understanding technology as they sign bills prepared for them by ALEC.
No Google account has been banned for this. People just keep spreading this lie because no one agrees that they have the right to steal the OAuth token.
It's their OAuth token, it's not being stolen. It's just being copied from one place on their computer to another. This is no different than a competing browser importing your localStorage and cookies from Chrome on first launch.
No, the OAuth token is supposed to be used solely with the context of a first-party app only. Clearly, if you need to extract the key by reverse engineering or set up a proxy to spoof requests to a service, you're doing something shady.
> No, the OAuth token is supposed to be used solely with the context of a first-party app only.
The web doesn't work like that. The operators of google.com saying you must only use Chrome to load it is a ridiculous concept. It's not spoofing to use your own access credentials on your own computer to access your own account on an HTTP API.
Most people would agree both that getting rid of cheating is desirable and that the methods of control exerted over users to accomplish it is questionable. It's one of the few freedom/security tradeoffs where people generally agree we have to come down on the side of authoritarian, because otherwise it destroys online gaming as a whole. That scenario doesn't apply here. The world is a complex place.
Technically speaking, they haven’t been able to. There’s really no way of stopping someone using an alternate client if it appears to the server the same way.
The only reason video game cheating is more difficult is because it uses custom protocols and message types, and it needs to be reverse engineered. Usually it’s just easier to reuse the existing game client and patch it to report to the server that everything is normal.
How do so many people think this happened? All of the articles I’ve read have been clear that it did not happen. Yet it’s all over the comments here. Why?
Telling your users they can't use certain software to access your HTTP API is exactly the same as telling people they can't use certain browsers to load https://google.com.
They were banning people and those people couldn’t even cancel their subscription. That’s a rookie mistake and you expect the same company to have a flawless ban system?
Yeah exactly, have you ever tried to call Google support? It doesn't exist. The only way to contact Google is by posting something on news.ycombinator.com and then hoping that some person who works at that company actually responds to you and logs in somewhere and then changes your access.
> Way too risky to use Google services like this tied to your primary account
As a hedge, you can google.com/takeout on a monthly cadence.
At least a few years ago when Raspberry Pi nodes were cheap, you could set up rclone to sync the `TAKEOUT` folder of your Google Drive account locally and then encrypt it and shove it into Backblaze. Then set up a monthly reminder to quickly request a Takeout and make sure that you choose the "deliver to Google Drive" option.
Using Gmail as your primary email has become a serious risk. Email was once a distinct thing but Google tying it to your everything-account makes gmail terrible.
> The digital death sentence of losing access to your email
I agree that the digital death sentence is really bad and doubly so seen that many are using single-sign on tied to their Google identity but...
> with a company that notoriously has no way for the average human to contact a human is not worth the risk
There's definitely phone support for paying Google Workspace users: don't tell me there's not, my wife got Google support on the phone more than once and they've been helpful.
And it's not a crazy expensive subscription either.
> KeePass has long been the gold standard and darling of the tech world, earned through its unrelenting commitment to security, stability, and data sovereignty.
Eh? I always thought of pass[1] in that role.
> Devising a new schema based on SQLite would allow for current features that are being jerry-rigged into the attributes to have their own real place in the database, rather than clogging the user-facing fields. It also ensures that if in the future, some weird authentication method were to come out, no breaking changes would be needed. You simply would add a table to accommodate it, and old clients would simply not support the feature and just load the database without it. Of course, a warning would be shown to the user if somehow their database uses new features on an old client.
Using a relational database does not solve this problem at all. It doesn’t even address it at all.
The original problem is you have multiple implementations defining their own data model. Whether the backend is a file, a database, or a post-it note, that doesn’t work.
Just as you can ignore tables in a database, you can ignore attributes in XML.
My current issue with pass is my difficulty with migrating my private GPG keys to new devices. Makes the experience so much worse IMO. (I've been using pass for 6 years at this point.)
KeePass is for sure better suited for this use case. There is far less to keep track of, and the unlock mechanism and data are tied together. I've also had inexplicable issues migrating GPG keys cross-platform, to where I just do not bother anymore. ssh/age/minisign just work for my use cases.
> I think you might be underrating the value of even that enabling work. Some parents would not have the financial resources to provide those learning materials. And some parents would take a normative stance on how an 8 year old ought to behave.
And most modern parents would swamp the child with a bunch of mind rotting auto playing TV and video games. There's an account of Terence's time at university where he nearly fails his oral qualifying exams as he spent most of his time playing Civ rather than studying anything. Imagine the travesty for the world if 5 year old Terence had been handed an Xbox.
Many things far more complicated than this have been made illegal.
And yes, people will try to wiggle around it. That's what regulatory agencies are for. Yeah, they don't 100% work. Believe me, you're unlikely to out-cynic me.
A firm can be capitalized by debt or equity. They can have a public offering and sell shares to retire debt. They can issue bonds and use the money to buy back shares. There shouldn't be a moral component to this.
That being said, it seems criminal to take an enormous management fee while sending a company into bankruptcy.
In practice, a "ban" consists of personal loan guarantees of a certain percentage thereby limiting the frequency and magnitude of this sort of financing.
Essentially, that means some amount of corporate risk is leveraged upon the principal investors.
This is common practice in the EU for so-called "club deals".
Conservatives have argued that healthcare providers shouldn't have to provide healthcare to people with whom they differ ideologically. I say they should be careful what they wish for.
Not quite. Conservatives argue they shouldn’t have to provide medical practices like abortion that violate their personal ideologies. They don’t selectively grant them for a subset of the population.
In reality it's already collapsing.